Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTloMzYtNGpmMi1oeDUz
extlib does not properly restrict casts of string values
The extlib gem 0.9.15 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
Permalink: https://github.com/advisories/GHSA-9h36-4jf2-hx53JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTloMzYtNGpmMi1oeDUz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 6 years ago
Updated: 8 months ago
Identifiers: GHSA-9h36-4jf2-hx53, CVE-2013-1802
References:
- https://nvd.nist.gov/vuln/detail/CVE-2013-1802
- https://bugzilla.redhat.com/show_bug.cgi?id=917233
- https://github.com/datamapper/extlib/compare/b4f98174ec35ac96f76a08d5624fad05d22879b5...4540e7102b803624cc2eade4bb8aaaa934fc31c5
- http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00002.html
- https://web.archive.org/web/20130203232028/https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/extlib/CVE-2013-1802.yml
- https://github.com/advisories/GHSA-9h36-4jf2-hx53
Blast Radius: 0.0
Affected Packages
rubygems:extlib
Dependent packages: 171Dependent repositories: 4,215
Downloads: 16,900,741 total
Affected Version Ranges: < 0.9.16
Fixed in: 0.9.16
All affected versions: 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 0.9.9, 0.9.10, 0.9.11, 0.9.12, 0.9.13, 0.9.14, 0.9.15
All unaffected versions: 0.9.16